Entering specific or more broad subnet on devices in regards to Security.

CiscoPurpleBelt
Level 6

Just checking with the community.

Let's say you have an environment where all external traffic is checked at the Firewall.

Example:

ip route 10.10.10.115 255.255.255.248 1.1.1.1 and

ip route 10.10.10.30  255.255.255.248 1.1.1.1

as opposed to 

ip route 10.10.10.0 255.255.255.0 1.1.1.1

 

Would you still prefer to enter specific route statements as opposed to using a CIDR to cover everything, in addition to IPs that are not allowed at the Firewall? As the network grows you would have many more routes compared to fewer routes entered on your devices, so what are your thoughts from that standpoint?


11 Replies

Hello,

 

are the 10.10.10.x networks external or internal networks? What is the destination, 1.1.1.1? Is that an external or internal destination? In general, for external routing, the firewall would need only a default route.

 

ip route 0.0.0.0 0.0.0.0 1.1.1.1

No, all IPs are external.

Hello,

 

the default route should be sufficient then. It is what you typically see on firewalls.

Hello

Longer prefixes are always most preferred. A router will always choose a more specific route; if there are multiple routes with the same length, then the administrative distance of the routing protocol or static route comes into play.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes but what about from a management/admin and security standpoint. 

Let's say you have a bunch of single host IP destinations that don't all fall in the same subnets. You would have a lot of statements to add as opposed to just adding one large subnet statement, which would allow all those IPs but then many more which are not needed; however, yes, they are blocked at the FW, so they still would not pass through the Firewall anyway.

I am sure that there are aspects of this question that I do not understand fully. But it seems to me that the question is asking about 2 aspects of configuring and managing firewalls (and perhaps other network equipment). One aspect is configuring and administering the firewall. From this perspective summarization/CIDR makes it easier and so might be preferred. The other aspect is security on the firewall. From this perspective more granular control (more entries with more specific masks) is better. These perspectives might be mutually exclusive (easy to have one, difficult to have both). Both perspectives are valid, but probably one is more important to the organization than the other. Which one is most important in your organization?

 

If I have misunderstood something please provide clarification.

HTH

Rick
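The following is an added example, not code from any of the posters above. It models both points made in this thread: Paul's longest-prefix-match rule (a /29 beats a /24 for any destination both cover) and the summarization trade-off raised by CiscoPurpleBelt and Rick (how many destinations a /24 forwards toward the next hop that the two /29s never would, i.e. the addresses whose only remaining control is the firewall). It uses only the standard-library `ipaddress` module. The route statements are the ones from the original post; the lookup destinations are constructed for illustration. Note that the two /29s as typed have host bits set; the parser masks them off (`strict=False`), giving the network addresses 10.10.10.112/29 and 10.10.10.24/29.

```python
"""Static-route model: longest-prefix match and the cost of summarization.

Added example for the thread above; not code from the original posters.
Route statements are those from the original post (1.1.1.1 as next hop);
lookup destinations below are constructed test inputs.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Route statements from the original post.
SPECIFIC_ROUTES = [
    "ip route 10.10.10.115 255.255.255.248 1.1.1.1",
    "ip route 10.10.10.30 255.255.255.248 1.1.1.1",
]
SUMMARY_ROUTE = "ip route 10.10.10.0 255.255.255.0 1.1.1.1"


def parse_route(cmd: str) -> Route:
    """Parse an IOS-style 'ip route <net> <mask> <next-hop>' statement.

    Host bits in <net> are masked off (strict=False), so the /29s from the
    post become 10.10.10.112/29 and 10.10.10.24/29.
    """
    parts = cmd.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an 'ip route <net> <mask> <next-hop>' statement: {cmd!r}")
    _, _, net, mask, next_hop = parts
    prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return prefix, ipaddress.ip_address(next_hop)


def build_table(cmds: List[str]) -> List[Route]:
    """Build a routing table (list of (prefix, next hop)) from statements."""
    return [parse_route(c) for c in cmds]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching prefix wins.

    Ties on prefix length would be broken by administrative distance and
    metric on a real router; every route here is a static with the same
    AD, so the tie-break is not modelled.
    """
    dst_addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, next_hop in table:
        if dst_addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def summary_excess(specific_cmds: List[str], summary_cmd: str) -> List[ipaddress.IPv4Address]:
    """Addresses the summary route forwards that no specific route covers.

    After summarization these destinations reach the next hop purely on the
    strength of the firewall policy, which is the trade-off the thread is
    weighing: fewer route statements versus a larger forwarded range.
    """
    summary, _ = parse_route(summary_cmd)
    covered = set()
    for prefix, _ in build_table(specific_cmds):
        covered.update(prefix)  # iterating a network yields every address in it
    return [addr for addr in summary if addr not in covered]


if __name__ == "__main__":
    specific_only = build_table(SPECIFIC_ROUTES)
    both = build_table(SPECIFIC_ROUTES + [SUMMARY_ROUTE])
    for dst in ("10.10.10.115", "10.10.10.30", "10.10.10.200", "10.10.11.1"):
        print(dst, "specific-only:", lookup(specific_only, dst), "with summary:", lookup(both, dst))
    excess = summary_excess(SPECIFIC_ROUTES, SUMMARY_ROUTE)
    print(f"{len(excess)} addresses forwarded by the /24 but by neither /29")
```

Run stand-alone, the script shows 10.10.10.115 and 10.10.10.30 matching their /29 even when the /24 is also present, 10.10.10.200 matching only the /24 (and dropping to no route in the specific-only table), and 240 of the 256 addresses in the /24 lying outside both /29s. That last number is the quantity a practitioner should compare against the firewall policy before choosing the summary.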

Yes, that was what I was thinking. Well, let's just say basically the decision is solely on me. I may just go with summarization since subnets are checked at the Firewall.

What I was trying to say in my response is that neither approach is inherently better than the other. It is a choice to be made organization by organization depending on the local criteria. Your choice of summarization sounds appropriate for your situation. Thanks for marking this question as solved. 

HTH

Rick

Thanks again Richard and Cisco Gurus!

Thanks again Paul and Cisco Gurus!

You asked an interesting (and significant) question and have received multiple responses, each representing a different perspective. As we said there is not any single "one size fits all" right answer. There are multiple perspectives to consider and the best choice will depend on the particular organization for which the question is asked. Thank you for marking the question as solved.

HTH

Rick